Essentia Health is an integrated health system providing services in the states of Minnesota, North Dakota, Wisconsin and Idaho. Notifications sent to over 1,000 Essentia Health patients stated that some of their protected health information (PHI) were exposed.

Just like a lot of healthcare providers, Essentia Health associates with a third-party vendor providing billing services to allow retrieval of lost income. Nemadji Research Corportion in Bruno, MN is the firm that provided the billing services.

Essentia Health gave Nemadji access to selected types of PHI to enable the company to do its contracted services. There is no mention by Essentia Health in its substitute breach notice posted on its webpage about the exact types of information exposed.

Nemadji identified strange activity in the email account of an employee on March 28, 2019. The investigation showed that the employee became victim of a phishing scam and the attacker was able to get his login credentials. The attacker had unauthorized access to the account for several hours before Nemadji’s IT department deactivated the account.

The succeeding investigation determined that the PHI of some patients of Nemadji’s clients were found in the compromised email account. According to a previous report by The L.A. Times, the PHI of 14,591 Los Angeles Department of Health Services (DHS) patients were exposed because of the phishing attack. The most recent report from Essentia Health indicates that there were still others affected by the breach.

It is presently uncertain how many of Nemadji’s clients were affected by the breach. The Department of Health and Human Services’ Office for Civil Rights has not yet posted the breach incident on its breach portal, so there is still no report as to how big the breach had been.